Example 16 with SignedJWTInfo
use of org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo in project carbon-apimgt by wso2.
the class JWTUtil method handleScopeValidation.
/**
* Handle scope validation
*
* @param accessToken JWT token
* @param signedJWTInfo : Signed token info
* @param message : inbound message context
*/
public static boolean handleScopeValidation(HashMap<String, Object> message, SignedJWTInfo signedJWTInfo, String accessToken) throws APIManagementException, ParseException {
String maskedToken = message.get(RestApiConstants.MASKED_TOKEN).toString();
OAuthTokenInfo oauthTokenInfo = new OAuthTokenInfo();
oauthTokenInfo.setAccessToken(accessToken);
oauthTokenInfo.setEndUserName(signedJWTInfo.getJwtClaimsSet().getSubject());
String scopeClaim = signedJWTInfo.getJwtClaimsSet().getStringClaim(APIConstants.JwtTokenConstants.SCOPE);
if (scopeClaim != null) {
String orgId = (String) message.get(RestApiConstants.ORG_ID);
String[] scopes = scopeClaim.split(APIConstants.JwtTokenConstants.SCOPE_DELIMITER);
scopes = java.util.Arrays.stream(scopes).filter(s -> s.contains(orgId)).map(s -> s.replace(APIConstants.URN_CHOREO + orgId + ":", "")).toArray(size -> new String[size]);
oauthTokenInfo.setScopes(scopes);
if (validateScopes(message, oauthTokenInfo)) {
// Add the user scopes list extracted from token to the cxf message
message.put(RestApiConstants.USER_REST_API_SCOPES, oauthTokenInfo.getScopes());
// If scope validation successful then set tenant name and user name to current context
String tenantDomain = MultitenantUtils.getTenantDomain(oauthTokenInfo.getEndUserName());
int tenantId;
PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
RealmService realmService = (RealmService) carbonContext.getOSGiService(RealmService.class, null);
try {
String username = oauthTokenInfo.getEndUserName();
if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
// when the username is an email in supertenant, it has at least 2 occurrences of '@'
long count = username.chars().filter(ch -> ch == '@').count();
// in the case of email, there will be more than one '@'
boolean isEmailUsernameEnabled = Boolean.parseBoolean(CarbonUtils.getServerConfiguration().getFirstProperty("EnableEmailUserName"));
if (isEmailUsernameEnabled || (username.endsWith(SUPER_TENANT_SUFFIX) && count <= 1)) {
username = MultitenantUtils.getTenantAwareUsername(username);
}
}
if (log.isDebugEnabled()) {
log.debug("username = " + username + "masked token " + maskedToken);
}
tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
carbonContext.setTenantDomain(tenantDomain);
carbonContext.setTenantId(tenantId);
carbonContext.setUsername(username);
if (!tenantDomain.equals(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)) {
APIUtil.loadTenantConfigBlockingMode(tenantDomain);
}
return true;
} catch (UserStoreException e) {
log.error("Error while retrieving tenant id for tenant domain: " + tenantDomain, e);
}
log.debug("Scope validation success for the token " + maskedToken);
return true;
}
log.error("scopes validation failed for the token" + maskedToken);
return false;
}
log.error("scopes validation failed for the token" + maskedToken);
return false;
}
Also used :
URITemplate(org.wso2.carbon.apimgt.api.model.URITemplate)
MultitenantConstants(org.wso2.carbon.utils.multitenancy.MultitenantConstants)
APIUtil(org.wso2.carbon.apimgt.impl.utils.APIUtil)
UserStoreException(org.wso2.carbon.user.api.UserStoreException)
URITemplateException(org.wso2.uri.template.URITemplateException)
Set(java.util.Set)
PrivilegedCarbonContext(org.wso2.carbon.context.PrivilegedCarbonContext)
HashMap(java.util.HashMap)
RealmService(org.wso2.carbon.user.core.service.RealmService)
APIConstants(org.wso2.carbon.apimgt.impl.APIConstants)
CarbonUtils(org.wso2.carbon.utils.CarbonUtils)
List(java.util.List)
MultitenantUtils(org.wso2.carbon.utils.multitenancy.MultitenantUtils)
RestApiConstants(org.wso2.carbon.apimgt.rest.api.common.RestApiConstants)
SignedJWTInfo(org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo)
APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException)
Map(java.util.Map)
OAuthTokenInfo(org.wso2.carbon.apimgt.api.OAuthTokenInfo)
Log(org.apache.commons.logging.Log)
LogFactory(org.apache.commons.logging.LogFactory)
Scope(org.wso2.carbon.apimgt.api.model.Scope)
ParseException(java.text.ParseException)
RealmService(org.wso2.carbon.user.core.service.RealmService)
UserStoreException(org.wso2.carbon.user.api.UserStoreException)
OAuthTokenInfo(org.wso2.carbon.apimgt.api.OAuthTokenInfo)
PrivilegedCarbonContext(org.wso2.carbon.context.PrivilegedCarbonContext)
Example 17 with SignedJWTInfo
use of org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo in project carbon-apimgt by wso2.
the class JWTValidatorTest method testJWTValidatorInvalid.
@Test
public void testJWTValidatorInvalid() throws ParseException, APIManagementException, IOException, APISecurityException {
Mockito.when(privilegedCarbonContext.getTenantDomain()).thenReturn("abc.com");
SignedJWT signedJWT = SignedJWT.parse("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UZG1aak00WkRrM05qWTBZemM1T" + "W1abU9EZ3dNVEUzTVdZd05ERTVNV1JsWkRnNE56YzRaQT09In0" + ".eyJhdWQiOiJodHRwOlwvXC9vcmcud3NvMi5hcGltZ3RcL2dhdGV" + "3YXkiLCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhcHBsaWNhdGlvbiI6eyJvd25lciI6ImFkbWluIiwidGllclF1b3RhVHlwZ" + "SI6InJlcXVlc3RDb3VudCIsInRpZXIiOiJVbmxpbWl0ZWQiLCJuYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiaWQiOjEsInV1aWQ" + "iOm51bGx9LCJzY29wZSI6ImFtX2FwcGxpY2F0aW9uX3Njb3BlIGRlZmF1bHQiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0" + "NDNcL29hdXRoMlwvdG9rZW4iLCJ0aWVySW5mbyI6e30sImtleXR5cGUiOiJQUk9EVUNUSU9OIiwic3Vic2NyaWJlZEFQSXMiOltdL" + "CJjb25zdW1lcktleSI6IlhnTzM5NklIRks3ZUZZeWRycVFlNEhLR3oxa2EiLCJleHAiOjE1OTAzNDIzMTMsImlhdCI6MTU5MDMzO" + "DcxMywianRpIjoiYjg5Mzg3NjgtMjNmZC00ZGVjLThiNzAtYmVkNDVlYjdjMzNkIn0" + ".sBgeoqJn0log5EZflj_G7ADvm6B3KQ9bdfF" + "CEFVQS1U3oY9" + "-cqPwAPyOLLh95pdfjYjakkf1UtjPZjeIupwXnzg0SffIc704RoVlZocAx9Ns2XihjU6Imx2MbXq9ARmQxQkyGVkJ" + "UMTwZ8" + "-SfOnprfrhX2cMQQS8m2Lp7hcsvWFRGKxAKIeyUrbY4ihRIA5vOUrMBWYUx9Di1N7qdKA4S3e8O4KQX2VaZPBzN594c9TG" + "riiH8AuuqnrftfvidSnlRLaFJmko8-QZo8jDepwacaFhtcaPVVJFG4uYP-_" + "-N6sqfxLw3haazPN0_xU0T1zJLPRLC5HPfZMJDMGp" + "EuSe9w");
SignedJWTInfo signedJWTInfo = new SignedJWTInfo(signedJWT.getParsedString(), signedJWT, signedJWT.getJWTClaimsSet());
ExtendedJWTConfigurationDto jwtConfigurationDto = new ExtendedJWTConfigurationDto();
JWTValidationService jwtValidationService = Mockito.mock(JWTValidationService.class);
APIKeyValidator apiKeyValidator = Mockito.mock(APIKeyValidator.class);
Cache gatewayTokenCache = Mockito.mock(Cache.class);
Cache invalidTokenCache = Mockito.mock(Cache.class);
Cache gatewayKeyCache = Mockito.mock(Cache.class);
Cache gatewayJWTTokenCache = Mockito.mock(Cache.class);
JWTValidationInfo jwtValidationInfo = new JWTValidationInfo();
jwtValidationInfo.setValid(false);
jwtValidationInfo.setIssuer("https://localhost");
jwtValidationInfo.setRawPayload(signedJWT.getParsedString());
jwtValidationInfo.setJti(UUID.randomUUID().toString());
jwtValidationInfo.setConsumerKey(UUID.randomUUID().toString());
jwtValidationInfo.setValidationCode(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS);
jwtValidationInfo.setUser("user1");
jwtValidationInfo.setKeyManager("Default");
Mockito.when(jwtValidationService.validateJWTToken(signedJWTInfo)).thenReturn(jwtValidationInfo);
JWTValidatorWrapper jwtValidator = new JWTValidatorWrapper("Unlimited", true, apiKeyValidator, false, null, jwtConfigurationDto, jwtValidationService, invalidTokenCache, gatewayTokenCache, gatewayKeyCache, gatewayJWTTokenCache);
MessageContext messageContext = Mockito.mock(Axis2MessageContext.class);
org.apache.axis2.context.MessageContext axis2MsgCntxt = Mockito.mock(org.apache.axis2.context.MessageContext.class);
Mockito.when(axis2MsgCntxt.getProperty(Constants.Configuration.HTTP_METHOD)).thenReturn("GET");
Map<String, String> headers = new HashMap<>();
Mockito.when(axis2MsgCntxt.getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS)).thenReturn(headers);
Mockito.when(((Axis2MessageContext) messageContext).getAxis2MessageContext()).thenReturn(axis2MsgCntxt);
Mockito.when(messageContext.getProperty(RESTConstants.REST_API_CONTEXT)).thenReturn("/api1");
Mockito.when(messageContext.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION)).thenReturn("1.0");
Mockito.when(messageContext.getProperty(APIConstants.API_ELECTED_RESOURCE)).thenReturn("/pet/findByStatus");
APIManagerConfiguration apiManagerConfiguration = Mockito.mock(APIManagerConfiguration.class);
Mockito.when(apiManagerConfiguration.getFirstProperty(APIConstants.JWT_AUTHENTICATION_SUBSCRIPTION_VALIDATION)).thenReturn("true");
jwtValidator.setApiManagerConfiguration(apiManagerConfiguration);
OpenAPIParser parser = new OpenAPIParser();
String swagger = IOUtils.toString(this.getClass().getResourceAsStream("/swaggerEntry/openapi.json"));
OpenAPI openAPI = parser.readContents(swagger, null, null).getOpenAPI();
APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
apiKeyValidationInfoDTO.setApiName("api1");
apiKeyValidationInfoDTO.setApiPublisher("admin");
apiKeyValidationInfoDTO.setApiTier("Unlimited");
apiKeyValidationInfoDTO.setAuthorized(true);
try {
AuthenticationContext authenticate = jwtValidator.authenticate(signedJWTInfo, messageContext);
Assert.fail("JWT get Authenticated");
} catch (APISecurityException e) {
Assert.assertEquals(e.getErrorCode(), APISecurityConstants.API_AUTH_INVALID_CREDENTIALS);
}
Mockito.when(invalidTokenCache.get(signedJWT.getJWTClaimsSet().getJWTID())).thenReturn("carbon.super");
String cacheKey = GatewayUtils.getAccessTokenCacheKey(signedJWT.getJWTClaimsSet().getJWTID(), "/api1", "1.0", "/pet/findByStatus", "GET");
try {
jwtValidator.authenticate(signedJWTInfo, messageContext);
} catch (APISecurityException e) {
Assert.assertEquals(e.getErrorCode(), APISecurityConstants.API_AUTH_INVALID_CREDENTIALS);
}
Mockito.verify(apiKeyValidator, Mockito.never()).validateSubscription(Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString());
Mockito.verify(gatewayTokenCache, Mockito.atLeast(1)).get(signedJWT.getJWTClaimsSet().getJWTID());
Mockito.verify(gatewayKeyCache, Mockito.never()).get(cacheKey);
}
Also used :
APISecurityException(org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException)
APIManagerConfiguration(org.wso2.carbon.apimgt.impl.APIManagerConfiguration)
AuthenticationContext(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext)
HashMap(java.util.HashMap)
JWTValidationService(org.wso2.carbon.apimgt.impl.jwt.JWTValidationService)
APIKeyValidator(org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator)
OpenAPIParser(io.swagger.parser.OpenAPIParser)
SignedJWT(com.nimbusds.jwt.SignedJWT)
JWTValidationInfo(org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo)
ExtendedJWTConfigurationDto(org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto)
MessageContext(org.apache.synapse.MessageContext)
Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext)
SignedJWTInfo(org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo)
OpenAPI(io.swagger.v3.oas.models.OpenAPI)
APIKeyValidationInfoDTO(org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO)
Cache(javax.cache.Cache)
Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Test(org.junit.Test)
Example 18 with SignedJWTInfo
use of org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo in project carbon-apimgt by wso2.
the class JWTValidatorTest method testJWTValidatorInvalidConsumerKey.
@Test
public void testJWTValidatorInvalidConsumerKey() throws ParseException, APIManagementException, IOException, APISecurityException {
Mockito.when(privilegedCarbonContext.getTenantDomain()).thenReturn("carbon.super");
SignedJWT signedJWT = SignedJWT.parse("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UZG1aak00WkRrM05qWTBZemM1T" + "W1abU9EZ3dNVEUzTVdZd05ERTVNV1JsWkRnNE56YzRaQT09In0" + ".eyJhdWQiOiJodHRwOlwvXC9vcmcud3NvMi5hcGltZ3RcL2dhdGV" + "3YXkiLCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhcHBsaWNhdGlvbiI6eyJvd25lciI6ImFkbWluIiwidGllclF1b3RhVHlwZ" + "SI6InJlcXVlc3RDb3VudCIsInRpZXIiOiJVbmxpbWl0ZWQiLCJuYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiaWQiOjEsInV1aWQ" + "iOm51bGx9LCJzY29wZSI6ImFtX2FwcGxpY2F0aW9uX3Njb3BlIGRlZmF1bHQiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0" + "NDNcL29hdXRoMlwvdG9rZW4iLCJ0aWVySW5mbyI6e30sImtleXR5cGUiOiJQUk9EVUNUSU9OIiwic3Vic2NyaWJlZEFQSXMiOltdL" + "CJjb25zdW1lcktleSI6IlhnTzM5NklIRks3ZUZZeWRycVFlNEhLR3oxa2EiLCJleHAiOjE1OTAzNDIzMTMsImlhdCI6MTU5MDMzO" + "DcxMywianRpIjoiYjg5Mzg3NjgtMjNmZC00ZGVjLThiNzAtYmVkNDVlYjdjMzNkIn0" + ".sBgeoqJn0log5EZflj_G7ADvm6B3KQ9bdfF" + "CEFVQS1U3oY9" + "-cqPwAPyOLLh95pdfjYjakkf1UtjPZjeIupwXnzg0SffIc704RoVlZocAx9Ns2XihjU6Imx2MbXq9ARmQxQkyGVkJ" + "UMTwZ8" + "-SfOnprfrhX2cMQQS8m2Lp7hcsvWFRGKxAKIeyUrbY4ihRIA5vOUrMBWYUx9Di1N7qdKA4S3e8O4KQX2VaZPBzN594c9TG" + "riiH8AuuqnrftfvidSnlRLaFJmko8-QZo8jDepwacaFhtcaPVVJFG4uYP-_" + "-N6sqfxLw3haazPN0_xU0T1zJLPRLC5HPfZMJDMGp" + "EuSe9w");
SignedJWTInfo signedJWTInfo = new SignedJWTInfo(signedJWT.getParsedString(), signedJWT, signedJWT.getJWTClaimsSet());
ExtendedJWTConfigurationDto jwtConfigurationDto = new ExtendedJWTConfigurationDto();
JWTValidationService jwtValidationService = Mockito.mock(JWTValidationService.class);
APIKeyValidator apiKeyValidator = Mockito.mock(APIKeyValidator.class);
Cache gatewayTokenCache = Mockito.mock(Cache.class);
Cache invalidTokenCache = Mockito.mock(Cache.class);
Cache gatewayKeyCache = Mockito.mock(Cache.class);
Cache gatewayJWTTokenCache = Mockito.mock(Cache.class);
JWTValidationInfo jwtValidationInfo = new JWTValidationInfo();
jwtValidationInfo.setValid(true);
jwtValidationInfo.setIssuer("https://localhost");
jwtValidationInfo.setRawPayload(signedJWT.getParsedString());
jwtValidationInfo.setJti(UUID.randomUUID().toString());
jwtValidationInfo.setConsumerKey(UUID.randomUUID().toString());
jwtValidationInfo.setUser("user1");
jwtValidationInfo.setKeyManager("Default");
Mockito.when(jwtValidationService.validateJWTToken(signedJWTInfo)).thenReturn(jwtValidationInfo);
JWTValidatorWrapper jwtValidator = new JWTValidatorWrapper("Unlimited", true, apiKeyValidator, false, null, jwtConfigurationDto, jwtValidationService, invalidTokenCache, gatewayTokenCache, gatewayKeyCache, gatewayJWTTokenCache);
MessageContext messageContext = Mockito.mock(Axis2MessageContext.class);
org.apache.axis2.context.MessageContext axis2MsgCntxt = Mockito.mock(org.apache.axis2.context.MessageContext.class);
Mockito.when(axis2MsgCntxt.getProperty(Constants.Configuration.HTTP_METHOD)).thenReturn("GET");
Map<String, String> headers = new HashMap<>();
Mockito.when(axis2MsgCntxt.getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS)).thenReturn(headers);
Mockito.when(((Axis2MessageContext) messageContext).getAxis2MessageContext()).thenReturn(axis2MsgCntxt);
Mockito.when(messageContext.getProperty(RESTConstants.REST_API_CONTEXT)).thenReturn("/api1");
Mockito.when(messageContext.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION)).thenReturn("1.0");
Mockito.when(messageContext.getProperty(APIConstants.API_ELECTED_RESOURCE)).thenReturn("/pet/findByStatus");
APIManagerConfiguration apiManagerConfiguration = Mockito.mock(APIManagerConfiguration.class);
Mockito.when(apiManagerConfiguration.getFirstProperty(APIConstants.JWT_AUTHENTICATION_SUBSCRIPTION_VALIDATION)).thenReturn("true");
jwtValidator.setApiManagerConfiguration(apiManagerConfiguration);
OpenAPIParser parser = new OpenAPIParser();
String swagger = IOUtils.toString(this.getClass().getResourceAsStream("/swaggerEntry/openapi.json"));
OpenAPI openAPI = parser.readContents(swagger, null, null).getOpenAPI();
APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
apiKeyValidationInfoDTO.setAuthorized(false);
apiKeyValidationInfoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_AUTH_RESOURCE_FORBIDDEN);
Mockito.when(apiKeyValidator.validateScopes(Mockito.any(TokenValidationContext.class), Mockito.anyString())).thenReturn(true);
Mockito.when(apiKeyValidator.validateSubscription(Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString())).thenReturn(apiKeyValidationInfoDTO);
try {
jwtValidator.authenticate(signedJWTInfo, messageContext);
Assert.fail("JWT get Authenticated");
} catch (APISecurityException e) {
Assert.assertEquals(e.getErrorCode(), APISecurityConstants.API_AUTH_FORBIDDEN);
}
}
Also used :
APISecurityException(org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException)
APIManagerConfiguration(org.wso2.carbon.apimgt.impl.APIManagerConfiguration)
TokenValidationContext(org.wso2.carbon.apimgt.keymgt.service.TokenValidationContext)
HashMap(java.util.HashMap)
JWTValidationService(org.wso2.carbon.apimgt.impl.jwt.JWTValidationService)
APIKeyValidator(org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator)
OpenAPIParser(io.swagger.parser.OpenAPIParser)
SignedJWT(com.nimbusds.jwt.SignedJWT)
JWTValidationInfo(org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo)
ExtendedJWTConfigurationDto(org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto)
MessageContext(org.apache.synapse.MessageContext)
Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext)
SignedJWTInfo(org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo)
OpenAPI(io.swagger.v3.oas.models.OpenAPI)
APIKeyValidationInfoDTO(org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO)
Cache(javax.cache.Cache)
Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Test(org.junit.Test)
Example 19 with SignedJWTInfo
use of org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo in project carbon-apimgt by wso2.
the class JWTValidatorTest method testJWTValidatorTenant.
@Test
public void testJWTValidatorTenant() throws ParseException, APISecurityException, APIManagementException, IOException {
Mockito.when(privilegedCarbonContext.getTenantDomain()).thenReturn("abc.com");
SignedJWT signedJWT = SignedJWT.parse("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UZG1aak00WkRrM05qWTBZemM1T" + "W1abU9EZ3dNVEUzTVdZd05ERTVNV1JsWkRnNE56YzRaQT09In0" + ".eyJhdWQiOiJodHRwOlwvXC9vcmcud3NvMi5hcGltZ3RcL2dhdGV" + "3YXkiLCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhcHBsaWNhdGlvbiI6eyJvd25lciI6ImFkbWluIiwidGllclF1b3RhVHlwZ" + "SI6InJlcXVlc3RDb3VudCIsInRpZXIiOiJVbmxpbWl0ZWQiLCJuYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiaWQiOjEsInV1aWQ" + "iOm51bGx9LCJzY29wZSI6ImFtX2FwcGxpY2F0aW9uX3Njb3BlIGRlZmF1bHQiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0" + "NDNcL29hdXRoMlwvdG9rZW4iLCJ0aWVySW5mbyI6e30sImtleXR5cGUiOiJQUk9EVUNUSU9OIiwic3Vic2NyaWJlZEFQSXMiOltdL" + "CJjb25zdW1lcktleSI6IlhnTzM5NklIRks3ZUZZeWRycVFlNEhLR3oxa2EiLCJleHAiOjE1OTAzNDIzMTMsImlhdCI6MTU5MDMzO" + "DcxMywianRpIjoiYjg5Mzg3NjgtMjNmZC00ZGVjLThiNzAtYmVkNDVlYjdjMzNkIn0" + ".sBgeoqJn0log5EZflj_G7ADvm6B3KQ9bdfF" + "CEFVQS1U3oY9" + "-cqPwAPyOLLh95pdfjYjakkf1UtjPZjeIupwXnzg0SffIc704RoVlZocAx9Ns2XihjU6Imx2MbXq9ARmQxQkyGVkJ" + "UMTwZ8" + "-SfOnprfrhX2cMQQS8m2Lp7hcsvWFRGKxAKIeyUrbY4ihRIA5vOUrMBWYUx9Di1N7qdKA4S3e8O4KQX2VaZPBzN594c9TG" + "riiH8AuuqnrftfvidSnlRLaFJmko8-QZo8jDepwacaFhtcaPVVJFG4uYP-_" + "-N6sqfxLw3haazPN0_xU0T1zJLPRLC5HPfZMJDMGp" + "EuSe9w");
SignedJWTInfo signedJWTInfo = new SignedJWTInfo(signedJWT.getParsedString(), signedJWT, signedJWT.getJWTClaimsSet());
ExtendedJWTConfigurationDto jwtConfigurationDto = new ExtendedJWTConfigurationDto();
JWTValidationService jwtValidationService = Mockito.mock(JWTValidationService.class);
APIKeyValidator apiKeyValidator = Mockito.mock(APIKeyValidator.class);
Cache gatewayTokenCache = Mockito.mock(Cache.class);
Cache invalidTokenCache = Mockito.mock(Cache.class);
Cache gatewayKeyCache = Mockito.mock(Cache.class);
Cache gatewayJWTTokenCache = Mockito.mock(Cache.class);
JWTValidationInfo jwtValidationInfo = new JWTValidationInfo();
jwtValidationInfo.setValid(true);
jwtValidationInfo.setIssuer("https://localhost");
jwtValidationInfo.setRawPayload(signedJWT.getParsedString());
jwtValidationInfo.setJti(UUID.randomUUID().toString());
jwtValidationInfo.setIssuedTime(System.currentTimeMillis());
jwtValidationInfo.setExpiryTime(System.currentTimeMillis() + 5000L);
jwtValidationInfo.setConsumerKey(UUID.randomUUID().toString());
jwtValidationInfo.setUser("user1");
jwtValidationInfo.setKeyManager("Default");
Mockito.when(jwtValidationService.validateJWTToken(signedJWTInfo)).thenReturn(jwtValidationInfo);
JWTValidatorWrapper jwtValidator = new JWTValidatorWrapper("Unlimited", true, apiKeyValidator, false, null, jwtConfigurationDto, jwtValidationService, invalidTokenCache, gatewayTokenCache, gatewayKeyCache, gatewayJWTTokenCache);
MessageContext messageContext = Mockito.mock(Axis2MessageContext.class);
org.apache.axis2.context.MessageContext axis2MsgCntxt = Mockito.mock(org.apache.axis2.context.MessageContext.class);
Mockito.when(axis2MsgCntxt.getProperty(Constants.Configuration.HTTP_METHOD)).thenReturn("GET");
Map<String, String> headers = new HashMap<>();
Mockito.when(axis2MsgCntxt.getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS)).thenReturn(headers);
Mockito.when(((Axis2MessageContext) messageContext).getAxis2MessageContext()).thenReturn(axis2MsgCntxt);
Mockito.when(messageContext.getProperty(RESTConstants.REST_API_CONTEXT)).thenReturn("/api1");
Mockito.when(messageContext.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION)).thenReturn("1.0");
Mockito.when(messageContext.getProperty(APIConstants.API_ELECTED_RESOURCE)).thenReturn("/pet/findByStatus");
APIManagerConfiguration apiManagerConfiguration = Mockito.mock(APIManagerConfiguration.class);
Mockito.when(apiManagerConfiguration.getFirstProperty(APIConstants.JWT_AUTHENTICATION_SUBSCRIPTION_VALIDATION)).thenReturn("true");
jwtValidator.setApiManagerConfiguration(apiManagerConfiguration);
APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
apiKeyValidationInfoDTO.setApiName("api1");
apiKeyValidationInfoDTO.setApiPublisher("admin");
apiKeyValidationInfoDTO.setApiTier("Unlimited");
apiKeyValidationInfoDTO.setAuthorized(true);
Mockito.when(apiKeyValidator.validateScopes(Mockito.any(TokenValidationContext.class), Mockito.anyString())).thenReturn(true);
Mockito.when(apiKeyValidator.validateSubscription(Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString())).thenReturn(apiKeyValidationInfoDTO);
AuthenticationContext authenticate = jwtValidator.authenticate(signedJWTInfo, messageContext);
Mockito.verify(apiKeyValidator).validateSubscription(Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString());
Assert.assertNotNull(authenticate);
Assert.assertEquals(authenticate.getApiName(), "api1");
Assert.assertEquals(authenticate.getApiPublisher(), "admin");
Assert.assertEquals(authenticate.getConsumerKey(), jwtValidationInfo.getConsumerKey());
Mockito.when(gatewayTokenCache.get(signedJWT.getJWTClaimsSet().getJWTID())).thenReturn("carbon.super");
Mockito.when(gatewayKeyCache.get(signedJWT.getJWTClaimsSet().getJWTID())).thenReturn(jwtValidationInfo);
authenticate = jwtValidator.authenticate(signedJWTInfo, messageContext);
Assert.assertNotNull(authenticate);
Assert.assertEquals(authenticate.getApiName(), "api1");
Assert.assertEquals(authenticate.getApiPublisher(), "admin");
Assert.assertEquals(authenticate.getConsumerKey(), jwtValidationInfo.getConsumerKey());
Mockito.verify(jwtValidationService, Mockito.only()).validateJWTToken(signedJWTInfo);
Mockito.verify(gatewayTokenCache, Mockito.atLeast(1)).get(signedJWT.getJWTClaimsSet().getJWTID());
}
Also used :
APIManagerConfiguration(org.wso2.carbon.apimgt.impl.APIManagerConfiguration)
AuthenticationContext(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext)
TokenValidationContext(org.wso2.carbon.apimgt.keymgt.service.TokenValidationContext)
HashMap(java.util.HashMap)
JWTValidationService(org.wso2.carbon.apimgt.impl.jwt.JWTValidationService)
APIKeyValidator(org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator)
SignedJWT(com.nimbusds.jwt.SignedJWT)
JWTValidationInfo(org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo)
ExtendedJWTConfigurationDto(org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto)
MessageContext(org.apache.synapse.MessageContext)
Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext)
SignedJWTInfo(org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo)
APIKeyValidationInfoDTO(org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO)
Cache(javax.cache.Cache)
Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Test(org.junit.Test)
Example 20 with SignedJWTInfo
use of org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo in project carbon-apimgt by wso2.
the class JWTValidatorTest method testValidateScopesForGraphQLSubscriptions.
@Test
public void testValidateScopesForGraphQLSubscriptions() throws ParseException {
String apiContext = "/graphql";
String apiVersion = "1.0.0";
String matchingResource = "/subresource";
SignedJWT signedJWT = SignedJWT.parse("eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFp" + "UQTNNV0kyTkRBelpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0" + "dZd01XSTBaV05tTkRjeE5HWXdZbU00WlRBM01XSTJOREF6WkdRek5HTTBaR1JsTmpKa09ERmtaRFJpT1RGa01XRmhNelUyW" + "kdWbE5nX1JTMjU2IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImF1dCI6IkFQUExJQ0FUSU9OIiwiYXVkIjoidT" + "ljaTNDRmRRUDZJNG9DNU84VFcwZklBRXRnYSIsIm5iZiI6MTYzNjkxNTk4OCwiYXpwIjoidTljaTNDRmRRUDZJNG9DNU84VFc" + "wZklBRXRnYSIsInNjb3BlIjoic2NvcGUxIiwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2Vu" + "IiwiZXhwIjoxNjM2OTE5NTg4LCJpYXQiOjE2MzY5MTU5ODgsImp0aSI6IjJiM2FmYTkxLTBjNDItNGUzNC1iYTliLTc3ZmVkND" + "dkMGNmZCJ9.J8VkCSDUMCUNdJrpbRJy_cj5YazIrdRyNKTJ-9Lv1EabUgwENX1XQcUioSqF686ESI_PvUxYZIwViybVIIGVRuxM" + "Tp9vCMQDWhxXPCuehahul7Ebn0mQtrM7K2fwL0DpyKpI0ER_UYH-PgNvnHS0f3zmJdUBNao2QwuWorXMuwzSw3oPcdHcYmF9" + "Jn024J8Dv3ipHtzEgSc26ULVRaO9bDzJZochzQzqdkxjLMDMBYmKizXOCXEcXJYrEnQpTRHQGOuRN9stXePvO9_gFGVTenun" + "9pBT7Yw7D3Sd-qg-r_AnExOjQu8QwZRjTh_l09YwBYIrMdhSbtXpeAy0GNrc0w");
SignedJWTInfo signedJWTInfo = new SignedJWTInfo(signedJWT.getParsedString(), signedJWT, signedJWT.getJWTClaimsSet());
AuthenticationContext authenticationContext = new AuthenticationContext();
authenticationContext.setRequestTokenScopes(new ArrayList<String>() {
{
add("scope1");
}
});
APIKeyValidator apiKeyValidator = Mockito.mock(APIKeyValidator.class);
ExtendedJWTConfigurationDto jwtConfigurationDto = new ExtendedJWTConfigurationDto();
JWTValidationService jwtValidationService = Mockito.mock(JWTValidationService.class);
Cache gatewayTokenCache = Mockito.mock(Cache.class);
Cache invalidTokenCache = Mockito.mock(Cache.class);
Cache gatewayKeyCache = Mockito.mock(Cache.class);
Cache gatewayJWTTokenCache = Mockito.mock(Cache.class);
JWTValidatorWrapper jwtValidator = new JWTValidatorWrapper("Unlimited", true, apiKeyValidator, false, null, jwtConfigurationDto, jwtValidationService, invalidTokenCache, gatewayTokenCache, gatewayKeyCache, gatewayJWTTokenCache);
try {
Mockito.when(apiKeyValidator.validateScopes(Mockito.any(TokenValidationContext.class), Mockito.anyString())).thenReturn(true);
jwtValidator.validateScopesForGraphQLSubscriptions(apiContext, apiVersion, matchingResource, signedJWTInfo, authenticationContext);
} catch (APISecurityException e) {
Assert.fail();
}
try {
Mockito.when(apiKeyValidator.validateScopes(Mockito.any(TokenValidationContext.class), Mockito.anyString())).thenReturn(false);
jwtValidator.validateScopesForGraphQLSubscriptions(apiContext, apiVersion, matchingResource, signedJWTInfo, authenticationContext);
} catch (APISecurityException e) {
Assert.assertEquals(e.getErrorCode(), APISecurityConstants.INVALID_SCOPE);
String message = "User is NOT authorized to access the Resource: " + matchingResource + ". Scope validation failed.";
Assert.assertEquals(e.getMessage(), message);
}
}
Also used :
APISecurityException(org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException)
AuthenticationContext(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext)
ExtendedJWTConfigurationDto(org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto)
TokenValidationContext(org.wso2.carbon.apimgt.keymgt.service.TokenValidationContext)
JWTValidationService(org.wso2.carbon.apimgt.impl.jwt.JWTValidationService)
APIKeyValidator(org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator)
SignedJWT(com.nimbusds.jwt.SignedJWT)
SignedJWTInfo(org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo)
Cache(javax.cache.Cache)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Test(org.junit.Test)
Aggregations
JWTValidationInfo (org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo)22
SignedJWTInfo (org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo)18
SignedJWT (com.nimbusds.jwt.SignedJWT)15
APISecurityException (org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException)15
APIKeyValidationInfoDTO (org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO)15
Cache (javax.cache.Cache)12
Axis2MessageContext (org.apache.synapse.core.axis2.Axis2MessageContext)12
APIKeyValidator (org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator)11
AuthenticationContext (org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext)11
HashMap (java.util.HashMap)10
Test (org.junit.Test)10
PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)10
ExtendedJWTConfigurationDto (org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto)10
JWTValidationService (org.wso2.carbon.apimgt.impl.jwt.JWTValidationService)10
TokenValidationContext (org.wso2.carbon.apimgt.keymgt.service.TokenValidationContext)10
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet)9
MessageContext (org.apache.synapse.MessageContext)9
APIManagerConfiguration (org.wso2.carbon.apimgt.impl.APIManagerConfiguration)9
APIManagementException (org.wso2.carbon.apimgt.api.APIManagementException)7
ParseException (java.text.ParseException)6
